Data protection and privacy in beneficial ownership disclosure
The growth of a new norm on ownership transparency
Civil society organizations, businesses and governments across the world are increasingly promoting greater transparency about the ownership of companies as a useful means to stem illicit financial flows and create fairer markets. Yet in many countries, an individual can set up a company anonymously, without having to state who is the ‘real’ (or ‘ultimate beneficial’) owner of that company. This anonymity can lead to complex webs of opaque shell companies and ‘straw persons’, making it almost impossible for anyone – including public authorities – to identify the beneficial owner(s) of a company.
The scale and spread of complex corporate structures and offshore arrangements worldwide have been used to hide illegal activities such as tax evasion, money laundering, and terrorist financing, as demonstrated most visibly by the Panama Papers. In 2013, G8 leaders committed to an action plan addressing the misuse of company arrangements, which included the principle that beneficial ownership (BO) information should be made available to relevant public authorities, and that some information should be publicly accessible. 
Several countries, starting with the UK in 2016, have launched registers of companies’ beneficial ownership, with some making those registers openly accessible to the public. The EU’s adoption of the Fifth Anti-Money Laundering Directive  on 30 May 2018 means that all EU Member States are required to pass legislation creating publicly-accessible registers of beneficial ownership information by 10 January 2020. Meanwhile, the Extractive Industries Transparency Initiative (EITI) now requires member countries to publish the beneficial owners of any company that applies for or holds a participating interest in an oil, gas or mining license or contract in their countries by 2020. 
Elsewhere, companies are being actively encouraged to disclose beneficial ownership data that they collect as part of due diligence investigations into their supply chain, or as part of Know Your Customer initiatives to comply with AntiMoney Laundering (AML) and terrorism financing regulations.4 The OpenOwnership initiative seeks to make all this information more useful by collating existing publicly available and voluntarily disclosed ownership data, with the ultimate objective of creating a global standard for publicly available ownership data and an information source on ultimate beneficial ownership of corporations across the globe.
Public disclosure of ownership data – rationales and risks
Over the past few years, a range of stakeholders, from business to civil society, have promoted public disclosure of beneficial ownership information. The push for public disclosure of beneficial ownership of companies may have many explanations and drivers, but it is founded in great part on a simple proposition: in exchange for the right to a substantial ownership stake in a company – with all the benefits of protection from personal liability that this brings – an owner should reveal their identity. There is nothing inherent to the task of owning a company that would require information about that ownership to be kept private; indeed, there are many proud business owners across the world. Furthermore, because owning a company comes with considerable benefits including limited liability, it is reasonable for authorities to ask for ownership transparency as a quid pro quo.
While there is important momentum toward legal frameworks requiring more ownership transparency, the move towards collection and publication of beneficial ownership information – particularly its availability in public registers – has its critics.
One stumbling block which has emerged is the issue of privacy. Because beneficial ownership data includes data about people, the concern is that the publishing of beneficial ownership information could interfere with or threaten individuals’ rights to privacy and the protection of their personal data. This raises strict legal considerations. Do beneficial ownership registers contravene or conflict with data protection and privacy laws? But it also raises broader questions about whether making beneficial ownership information public is necessary to meet policy goals.
This paper sets out and discusses these questions, evaluating them through the perspective of international human rights law.
Beneficial ownership publication is in compliance with data protection
First, in reviewing beneficial ownership transparency in light of data protection, it is clear that the disclosure of beneficial ownership information can comply with data protection and other relevant obligations, as a variety of models worldwide demonstrate. Companies in jurisdictions with data protection obligations will typically be exempt from liability under data protection legislation if there is a statutory requirement for them to disclose beneficial ownership data. If there is no statutory requirement, companies would still be entitled to disclose beneficial data on a voluntary basis, under certain conditions. For jurisdictions with neither beneficial ownership disclosure nor data protection obligations, companies would be entitled to disclose beneficial ownership information on a voluntary basis, provided that it did not violate other legal protections for personal information such as breach of confidence. Companies disclosing information of foreign beneficial owners are still required to comply with their domestic legal standards and are therefore unlikely to face liability under the laws of other states.
Beneficial ownership disclosure has a purpose in the public interest
In examining the necessity and effectiveness of public beneficial ownership registers, it is apparent that public registers aim to tackle illicit financial activity and improve commercial transparency. These goals are clearly legitimate and in the public interest. While concerns about the accuracy of data published in public registers are valid, these problems are not unique to a public register – no state registry or financial institution would have the resources or time to comprehensively verify all information provided to them. Moreover, there are convincing arguments for why an open register is uniquely effective: it would allow for greater public oversight and scrutiny and give companies and foreign authorities more efficient, reliable access to beneficial ownership data. While public beneficial ownership registers are not a panacea, even for their strongest supporters, they are nevertheless an important component of a broader strategy to tackle financial crime and improve overall governance.
Beneficial ownership disclosure must reflect individual privacy protections – but can do so and still serve its purpose
When evaluating the privacy and security of registers, it is also important to consider the proportionality of public beneficial ownership registers. Transparency can, in principle, be achieved without endangering the privacy and safety of individuals, but the risks and tensions must be openly discussed and recognized. Striking an appropriate balance will depend on the inclusion and effect of various safeguards, limitations and exceptions. In other words, the debate is not just about why the data is published, but also what is published, and how it is published. It is impossible to provide one-size-fits-all recommendations on which safeguards and limitations are appropriate in all situations: the approach will depend on a range of contextual factors.
However, a set of key underlying factors need to be considered.
In the interest of striking a fair balance between transparency and privacy, governments and companies should not collect and disclose data beyond the minimum that is necessary to achieve their aim or data that poses a significant risk of harm. Conducting a thorough privacy impact assessment can help to identify potential harms and aid decision-making. What is disclosed to the public can be a subset of the data that is collected and available to public authorities, provided that enough information is made publicly available to allow for meaningful oversight and transparency. A carefully designed and narrowly defined exemption process is important to allow individuals with legitimate security or privacy concerns to request that their details are not published on the open register.
 UK Prime Minister’s Office, ‘G8 Action Plan Principles to Prevent the Misuse of Companies and Legal Arrangements,’ 18 June 2013, available at: https://www.gov.uk/government/publications/g8-action-plan-principles-to-prevent-the-misuse-of-companies-and-legal-arrangements/g8-action-plan-principles-to-prevent-the-misuse-of-companies-and-legal-arrangements.
 Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/ EC and 2013/36/EU, OJ L 156, 19 June 2018, pp43-74. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018L0843 [Accessed 10 March 2019].
 See EITI, ‘Beneficial Ownership: Revealing Who Stands Behind the Companies’. Available at https://eiti.org/beneficial-ownership [Accessed 10 March 2019].
 The B Team, 2015. Developing the Business Case for Beneficial Ownership Transparency. Available at: http://www.bteam.org/reports/the-business-case-for-beneficial-ownership-transparency/ [Accessed September 20, 2018].
Next page: I. Introduction: Beneficial Ownership and Privacy